PC unstable with blue screen every day

[Philippe Dusseaux]

Hello,
I've got blue screens everyday with windows 7 64 bits and one function of malwarebyte is automatically disable (protection against malware web sites).
With command com, command sfc /scannow says me that windows is OK.
I used free version avast and spybot too.
RogueKiller scan's result is:
RogueKiller V10.5.0.0 (x64) [Mar  2 2015] par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Démarré en  : Mode normal
Utilisateur : Philippe [Administrateur]
Mode : Scan -- Date : 03/04/2015  20:25:41

¤¤¤ Processus : 0 ¤¤¤

¤¤¤ Registre : 7 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AKBSP (C:\Users\Philippe\AppData\Local\Temp\AKBSP.exe) -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AKBSP (C:\Users\Philippe\AppData\Local\Temp\AKBSP.exe) -> Trouvé(e)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AKBSP (C:\Users\Philippe\AppData\Local\Temp\AKBSP.exe) -> Trouvé(e)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trouvé(e)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Trouvé(e)

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 0 ¤¤¤

¤¤¤ Fichier Hosts : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

¤¤¤ Antirootkit : 7 (Driver: Chargé) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\winhv.sys - IRP_MJ_CREATE[0] : Unknown @ 0x39ab2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\winhv.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x39ab2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\winhv.sys - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x39ab2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\winhv.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x39ab2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\winhv.sys - IRP_MJ_POWER[22] : Unknown @ 0x39ab2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\winhv.sys - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x39ab2c0
[IRP:Addr(Hook.IRP)] \SystemRoot\system32\drivers\winhv.sys - IRP_MJ_PNP[27] : Unknown @ 0x39ab2c0

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: ST31000528AS ATA Device +++++
--- User ---
[MBR] 94dad5a5cfc2b86fd02609e3119fe9b9
[BSP] 1d6185e095340d719fd6780d984ec6cd : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 119900 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 245762048 | Size: 300000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 860162048 | Size: 533867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST31000528AS ATA Device +++++
--- User ---
[MBR] b78754e4f34ee6d8e75220fbabd6b0ef
[BSP] ecac7669733fc276c5898de22449ff6f : Legit.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: MAXTOR STM3250310AS ATA Device +++++
--- User ---
[MBR] d54b99608686b8a0ddcbf09a324570ff
[BSP] 8ac97458e6ba8cd39edf206a047b06d2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 238473 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: Generic USB SD Reader USB Device +++++
Error reading User MBR! ([15] Le périphérique n?est pas prêt. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Cette demande n?est pas prise en charge. )

+++++ PhysicalDrive4: Generic USB CF Reader USB Device +++++
Error reading User MBR! ([15] Le périphérique n?est pas prêt. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Cette demande n?est pas prise en charge. )

+++++ PhysicalDrive5: Generic USB SM Reader USB Device +++++
Error reading User MBR! ([15] Le périphérique n?est pas prêt. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Cette demande n?est pas prise en charge. )

+++++ PhysicalDrive6: Generic USB MS Reader USB Device +++++
Error reading User MBR! ([15] Le périphérique n?est pas prêt. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Cette demande n?est pas prise en charge. )


============================================
RKreport_SCN_03042015_055003.log

What do I do?
I think I've got some problems with  Reader USB Device and Legit.Unknown MBR Code too.
Thank you.

[Curson]

Hi Philippe,

Welcome to Adlice.com Forum!

BSOD are not always related to malwares. We will check.
Please download BlueScreenView (x64) and unzip the archive.

• Double click on BlueScreenView.exe to run the program.
• When scanning is done, go to EDIT - Select All.
• Go to FILE - SAVE Selected Items, and save the report as BSOD.txt.
• Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply.

Do you know what is the process AKBSP.exe ?
If that's not the case, please follow the following process to analyse the file.

1. Show Hidden Files and Folders

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:

•     Hide extensions for known file types
  
•     Hide protected operating system files (Recommended)
  

You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:

• Show hidden files and folders
  

Click Apply and then click OK

2. Upload a file

Go to VirusTotal
When the page has finished loading, click the Choose file button and navigate to the following file and click Send file.

Code: [Select]

C:\Users\Philippe\AppData\Local\Temp\AKBSP.exe
If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.

I think I've got some problems with  Reader USB Device and Legit.Unknown MBR Code too.

Generic readers don't have MBR, so such errors are expected. Regarding the "Legit.Unknown MBR Code" detection, that's simply means your computer's MBR code is related to any of the main PC manufacturers but is still perfectly legit.

Regards.

[Philippe Dusseaux]

Hello,
I haven't found KBSP.exe by following the path and after a research with the explorer of windows 7.
I think I remenber that one of my protection software (avast, malwarebyte, comodo) destroyed it.
I attach BSOD.txt created by bluescreenview-64.
Very long, isn't it?
notice: my motherboard is ASUS P5K and I haven't got the drivers to windows 7 but only windows XP drivers. It's a very old motherboard.
Thank you.

[Philippe Dusseaux]

Furthermore, with malwarebyte software, when windows 7 started, protection against malware web sites, rootkits search and auto-protect module activation options were disabled. I reinstalled malwarebyte and now all options are enable.
I think I have got a few bad rootkits and malwares.

[Curson]

Hi Philippe,

I'm really not convinced that your problems are caused by malware.
Regarding the BSOD file :

Code: [Select]

11:Caused By Address : ntoskrnl.exe+74ec0
40:Caused By Address : Ntfs.sys+81fc2
69:Caused By Address : ntoskrnl.exe+74ec0
98:Caused By Address : ntoskrnl.exe+74ec0
127:Caused By Address : ntoskrnl.exe+10faa2
156:Caused By Address : ntoskrnl.exe+74ec0
185:Caused By Address : ntoskrnl.exe+74ec0
214:Caused By Address : ntoskrnl.exe+7769a
243:Caused By Address : ntoskrnl.exe+74ec0
272:Caused By Address : ntoskrnl.exe+74ec0
301:Caused By Address : ntoskrnl.exe+74ec0
330:Caused By Address : tcpip.sys+163d94
359:Caused By Address : Ntfs.sys+4211
388:Caused By Address : ntoskrnl.exe+76e80
417:Caused By Address : hal.dll+15a4c
446:Caused By Address : ntoskrnl.exe+76e80
475:Caused By Address : ntoskrnl.exe+76e80
504:Caused By Address : ntoskrnl.exe+76e80
533:Caused By Address : ntoskrnl.exe+76e80
562:Caused By Address : ntoskrnl.exe+76e80
591:Caused By Address : tcpip.sys+7a180
620:Caused By Address : ntoskrnl.exe+76e80
649:Caused By Address : ntoskrnl.exe+76e50
678:Caused By Address : Ntfs.sys+b8ea4
707:Caused By Address : fltmgr.sys+4cb3
736:Caused By Address : ntoskrnl.exe+75bc0
765:Caused By Address : ntoskrnl.exe+75b90
794:Caused By Address : ntoskrnl.exe+75bc0
823:Caused By Address : ntoskrnl.exe+75bc0
852:Caused By Address : athrx.sys+21b0e
881:Caused By Address : ntoskrnl.exe+75bc0
910:Caused By Address : ntoskrnl.exe+75bc0
939:Caused By Address : ntoskrnl.exe+75bc0
968:Caused By Address : ntoskrnl.exe+75bc0
997:Caused By Address : Ntfs.sys+4211
1026:Caused By Address : ntoskrnl.exe+75bc0
1055:Caused By Address : Ntfs.sys+a4990
Many drivers are involved. In such cases, malwares are usully not responsible.

Even so, we are going to double-check.

TDSSKiller

• Please download TDSSKiller and save it to your Desktop.
  
• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
  
  
  
• Check Loaded Modules and Detect TDLFS file system. 
  
• If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
  
  
  
  
• Click Start Scan and allow the scan process to run.
  If threats are detected select Skip for all of them unless I instruct you otherwise.
  
• Click Continue
  
  
  
  
• Click Reboot computer
  

Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.

Please restart RogueKiller and remove the following entries :

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AKBSP (C:\Users\Philippe\AppData\Local\Temp\AKBSP.exe)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AKBSP (C:\Users\Philippe\AppData\Local\Temp\AKBSP.exe)
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AKBSP (C:\Users\Philippe\AppData\Local\Temp\AKBSP.exe)

Please post the report obtained in your next reply.
How is the computer running now ?

Regards.

[Philippe Dusseaux]

My asus P5K motherboard is blocked on the start page. It's the end. So I bought a new gigabyte motherboard. I am installing all softwares and I am scanning all my hard drives with Kaspersky, spybot  and Malwarebyte. I am following your methods after in order to kill malwares and toolkits.
Thank you.

[Curson]

Hi Philippe,

My asus P5K motherboard is blocked on the start page. It's the end.

Sorry to hear that.
If you are going with a full system reinstall, my instructions are outdated since your system is clean.

I am installing all softwares and I am scanning all my hard drives with Kaspersky, spybot  and Malwarebyte.

Using Spybot S&D is no longer recommended due to poor testing results.
Further, most people don't understand how to use Spybot's TeaTimer and that feature can cause more problems than it's worth. Additionally, it may conflict with other security tools which do a much better job of protecting your computer and in some cases it will even prevent disinfection of malware by those tools.

Regards.